CentOS - Jun 2008 - Re: CentOS Digest, Vol 41, Issue 14, Network FS w/o user setup

> ------------------------------
> 
> Message: 11
> Date: Fri, 13 Jun 2008 14:01:14 -0500
> From: Les Mikesell <lesmikesell at gmail.com>
> Subject: Re: [CentOS] Network FS w/o user setup
> To: CentOS mailing list <centos at centos.org>
> Message-ID: <4852C3FA.6040901 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Johnny Hughes wrote:
> >
> > You would then need to setup "Samba Authentication" for your
Linux
> > Client machines.
> > 
> > The best method to do that depends on your business, who you have to 
> > interface with, what services you are running on the network, etc.
> > 
> > I run a Samba PDC (using LDAP as a backend) with Samba BDC's in
several
> > remote locations.  If you do not require ADS network, then this can
work
> > great as LDAP databases can be replicated from the PDC to the BDCs and
> > Linux machines can easily be setup to use LDAP for authentication.
> > 
> > However, if you need an ADS domain, then the LDAP method does not work
> > since Samba can not be a Domain Controller for ADS.  That would
require
> > you to be a Domain "Member Server" and enable samba
authentication for
> > Linux clients.
> 
> I've been able to use SMB authentication against an AD just by filling 
> in the entries in system-config-authentication.  I'm not sure if  that 
> requires any compatibility settings on the AD side or not - it just 
> worked for me so I didn't ask questions.   The down side is that you do
> have to add the users and maintain groups on the linux side which isn't
> too difficult if they don't change a lot, just
> adduser -u uid -g gid login_name
> with the same values on all the boxes and copy changes to /etc/group 
> around. The up side is that you can control which users have access 
> separately and only have to deal with passwords for users that aren't
in
> AD - and you don't have to ask permission to join the linux boxes to
the
> domain.
> 
> > The methods to do that are too hard to explain on list.  Much research
> > needs to be done on samba.org docs (assuming you already understand
the
> > whole Windows Domain concept and how it works on Windows).  The way
that
> > you will proceed is an infrastructure decision and based your
individual
> > needs and infrastructure.
> 
> Winbind can automatically create users from AD, but you have to join the 
> domain and I'm not sure what you have to do to coordinate the uid 
> mapping across machines so NFS shares work.
> 
> -- 
>    Les Mikesell
>     lesmikesell at gmail.com
> 
> 
> 
> ------------------------------
I moved a RHEL4 machine so that it could authenticate logins from a different 
ADS domain than the one I originally set it up for. I have done this before, 
and found it to be a bit of a pain to make UNIX UID/GIDs, to ADS SID mappings 
the same on multiple machines. I had found a utility called wbuser , 
http://www.occam.com/tools/README.wbuser-1.1 , that could delete and add the 
UID to SID mappings but did not work for GID to SID mappings. Fortunately, I 
found that I could just copy the Trivial Data Base (TDB) file called 
winbind_idmap.tdb from one machine to all the others, and then start the samba
 smb and winbind daemons afterwards. Since all the machines have the same
mappings,
they can share nfs mounts and the file and directory ownerships are consistent 
across the multiple machines.

Rodney Mercer